“Aftershock” password breaches can hit organizations that have never had a breach of their own data. They occur when usernames and passwords stolen in someone else’s breach are published or sold, and attackers replay those credentials against other sites, betting that people reuse the same password everywhere (a technique known as credential stuffing). Organizations that see repeated unauthorized log-ins of this kind need to notify the affected customers that their accounts, and the data behind them, may have been misused.
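The tell-tale sign of an aftershock breach in your own logs is one source address walking through many different accounts in a short time, with a handful of successes among the failures. The following is an added example, not code from the original post: it runs that detection over a small constructed log. The log format, the field names and the thresholds are assumptions for illustration; map them onto whatever your application or identity provider actually records.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not from any real system). The format assumed here is
# "<ISO-8601 UTC time> LOGIN_OK|LOGIN_FAIL user=<name> ip=<source address>".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z LOGIN_FAIL user=alice ip=192.0.2.7
2024-03-01T10:00:09Z LOGIN_OK user=alice ip=192.0.2.7
2024-03-01T10:01:00Z LOGIN_FAIL user=alice ip=10.0.0.5
2024-03-01T10:01:02Z LOGIN_OK user=bob ip=10.0.0.5
2024-03-01T10:01:04Z LOGIN_FAIL user=carol ip=10.0.0.5
2024-03-01T10:01:06Z LOGIN_FAIL user=dave ip=10.0.0.5
2024-03-01T10:01:08Z LOGIN_OK user=erin ip=10.0.0.5
2024-03-01T10:01:10Z LOGIN_FAIL user=frank ip=10.0.0.5
2024-03-01T10:01:12Z LOGIN_FAIL user=grace ip=10.0.0.5
2024-03-01T10:02:30Z LOGIN_OK user=carol ip=198.51.100.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

Event = Tuple[datetime, str, str, bool]  # (timestamp, ip, user, succeeded)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["outcome"] == "LOGIN_OK"))
    return events


def find_credential_stuffing(events: List[Event],
                             window: timedelta = timedelta(minutes=5),
                             min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag source IPs that try at least `min_distinct_users` different accounts
    within `window`. A legitimate user mistyping a password hits one account;
    a replayed breach list walks through many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        users_in_window = Counter()
        start = 0
        triggered = False
        for ts, user, ok in evs:
            users_in_window[user] += 1
            # Slide the window: evict attempts older than `window` before this one.
            while evs[start][0] < ts - window:
                old_user = evs[start][1]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                start += 1
            if len(users_in_window) >= min_distinct_users:
                triggered = True
                break
        if triggered:
            # Summarise the IP's whole activity in the log; the successful
            # log-ins are the accounts whose owners must be notified.
            findings[ip] = {
                "attempts": len(evs),
                "distinct_users": len({u for _, u, _ in evs}),
                "compromised_users": sorted({u for _, u, ok in evs if ok}),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample log only 10.0.0.5 is flagged, and the accounts to notify are bob and erin. Two caveats: the per-IP rule is easy to evade by spreading attempts across a botnet, so pair it with site-wide signals such as an unusual overall failure rate or a spike in log-ins for usernames that do not exist; and tune the window and threshold against your own traffic before acting on the output.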

Action step: Strengthen data protection and make unauthorized log-ins harder by using two-factor or multi-factor authentication. As the name implies, two-factor authentication requires more than a password. The user must also present a second factor: something they have, such as a bank card, a hardware security key or a one-time code generated on their phone; something else they know, such as a PIN; or something they are, a biometric on file such as a fingerprint, voice print or iris scan. Two points worth knowing when you choose: a PIN on top of a password is still two of the same kind of factor (something you know), so the stronger combinations pair a password with something you have or something you are; and codes sent by text message are the weakest “something you have,” because they can be intercepted or redirected, so prefer an authenticator app or a hardware key where you can. Of course, these measures should be part of your comprehensive cyber security plan.

Many organizations today use or store PII. PII is information that can be used to uniquely identify, contact or locate a single person. PII includes but is not limited to:

• Full name

• Social Security number

• Address

• Date of birth

• Place of birth

• Driver’s license number

• Vehicle registration plate number

• Credit card numbers

• Physical appearance

• Gender or race

When someone’s PII that you have stored is stolen or compromised, you are responsible for notifying them of the breach. That costs time, money and reputation. If criminals use the PII for identity theft, you could be liable for helping the victims resolve the problem, a costly and time-consuming process.

The National Cyber Security Alliance (NCSA), a public/private consortium, reports that 69 percent of small businesses have “…sensitive information, including customer data.” Hackers are increasingly focusing on small businesses, knowing that they have fewer resources to protect their data. The NCSA also points out that only half of small businesses (52 percent) “have a plan or strategic approach in place for keeping their business cyber secure.”

What Can You Do?

All organizations, particularly organizations that use or store others’ PII, need a comprehensive data protection plan. Lack of a plan and systems in place can create serious liability exposures.

At a minimum, you should be doing the following to protect your data:

1 Make sure all company computers have the latest security software, web browsers and operating systems to protect against viruses, malware and other online threats.

If you don’t have the time or resources to create your own cyber security audit and plan, your ISP may offer specialized services for small businesses. The NCSA has a list of other resources available at https://staysafeonline.org/business-safe-online/implement-a-cybersecurity-plan.

No cyber security program is complete without insurance. Cyber insurance can protect your organization from the cost of correcting a security breach, notifying victims and even help protect them from identity theft. For more information, please contact us.


NOTICE: This blog and website are made available by the publisher for educational and informational purposes only. They are not to be used as a substitute for competent insurance, legal, or tax advice from a licensed professional in your state. By using this blog site you understand that there is no broker-client relationship between you and the blog and website publisher.